Lab Report: Design of ACL-Based Access Control and Security Policies
Lab Report
Course: Cisco Router Open Lab
Experiment: Design of ACL-Based Access Control and Security Policies
Date: June 2-3, 2012

Lab Report
Experiment: Design of ACL-Based Access Control and Security Policies
Type: Open lab
Hours: 16
Date: 2012.6.1-2012.6.2
I. Objectives and Requirements
An access control list (ACL) is a list of instructions applied to router and switch interfaces that controls which packets may enter or leave a port.
The experiment requires students to master ACL configuration, understand how an ACL is evaluated, and be able to design a secure network using ACLs.
The experiment requires the following work:
1. Standard ACL.
Objective:
Deny the network segment where host student resides access to router R2, and allow only host teacher to access the telnet service on R2.
2. Extended ACL experiment:
Objective:
Students cannot access FTP but can access WWW; teachers are unrestricted.
3. Anti-spoofing.
Users on the external network may forge their IP address, for example by using a legitimate internal address or the loopback address as the source address, in order to gain unauthorized access.
Solution:
Deny the IP addresses that could be spoofed.
II. Environment (Equipment)
A PC with Cisco Packet Tracer installed, or real Cisco network devices (routers and switches).
III. Principles and Content
(1) Basic ACL experiments:
1. Standard ACL.
Objective:
Deny the network segment where host student resides access to router R2, and allow only host teacher to access the telnet service on R2.
The experiment topology is shown in the figure below.
The configuration is as follows:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R1
R1(config)#int f0/0
R1(config-if)#ip add 10.20.170.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int s0/0/0
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router eigrp 100
R1(config-router)#network 10.20.170.0 0.0.0.255
R1(config-router)#network 192.168.12.0
R1(config-router)#no auto
R1(config-router)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R2
R2(config)#int s0/0/1
R2(config-if)#ip add 192.168.12.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#exit
R2(config)#int s0/0/0
R2(config-if)#ip add 192.168.23.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R2(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip add 10.20.168.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router eigrp 100
R2(config-router)#net 192.168.12.0
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.12.1 (Serial0/0/1) is up: new adjacency
R2(config-router)#net 192.168.23.0
R2(config-router)#net 10.20.168.0 0.0.0.255
R2(config-router)#no auto
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.12.1 (Serial0/0/1) is up: new adjacency
R2(config-router)#exit
R2(config)#exit
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R3
R3(config)#int s0/0/1
R3(config-if)#ip add 192.168.23.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
R3(config-if)#exit
R3(config)#int f0/0
R3(config-if)#ip add 10.20.66.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#router eigrp 100
R3(config-router)#net 10.20.66.0 0.0.0.255
R3(config-router)#net 192.168.23.0
R3(config-router)#no auto
R3(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.23.1 (Serial0/0/1) is up: new adjacency
R3(config-router)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Before the ACL is configured, host student pings the IP addresses of R2's three interfaces and the server 10.20.168.7; all of these pings should succeed.
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny 10.20.170.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#int s0/0/1
R2(config-if)#ip access-group 1 in
R2(config-if)#exit
R2(config)#access-list 2 permit host 10.20.66.10
R2(config)#line vty 0 4
R2(config-line)#password 501
R2(config-line)#login
R2(config-line)#access-class 2 in
R2(config-line)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#copy run start
Destination filename [startup-config]?
Building configuration...
After the ACL is configured, host student pings the IP addresses of R2's three interfaces and the server 10.20.168.7; none of these pings should succeed.
PC>ping 10.20.168.7
Pinging 10.20.168.7 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.20.168.7:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>ping 192.168.12.2
Pinging 192.168.12.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.12.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
After the ACL is configured, host teacher can telnet to R2, as shown below.
PC>telnet 192.168.23.1
Trying 192.168.23.1 ...Open
User Access Verification
Password:
501
R2>en
% No password set.
R2>
Only host teacher is allowed to telnet to R2, however; telnet from R3 to R2 fails.
R3#telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection refused by remote host
R3#telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection refused by remote host
R3#telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection refused by remote host
Telnet from host student to R2 fails.
PC>telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection timed out; remote host not responding
PC>telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection timed out; remote host not responding
PC>telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection timed out; remote host not responding
Telnet from R1 to R2 fails.
R1#telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection refused by remote host
R1#telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection refused by remote host
R1#telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection refused by remote host
Host teacher:
PC>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
[Connection to 192.168.12.1 closed by foreign host]
PC>telnet 10.20.170.1
Trying 10.20.170.1 ...
% Connection timed out; remote host not responding
PC>telnet 10.20.170.10
Trying 10.20.170.10 ...
% Connection timed out; remote host not responding
R1#telnet 10.20.66.1
Trying 10.20.66.1 ...Open
[Connection to 10.20.66.1 closed by foreign host]
R1#telnet 192.168.23.2
Trying 192.168.23.2 ...Open
[Connection to 192.168.23.2 closed by foreign host]
R3>en
R3#telnet 192.168.12.1
Trying 192.168.12.1 ...Open
[Connection to 192.168.12.1 closed by foreign host]
R3#telnet 10.20.170.1
Trying 10.20.170.1 ...
% Connection timed out; remote host not responding
SERVER>telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection refused by remote host
SERVER>telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection refused by remote host
SERVER>telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection refused by remote host
SERVER>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
[Connection to 192.168.12.1 closed by foreign host]
SERVER>telnet 10.20.170.1
Trying 10.20.170.1 ...
% Connection timed out; remote host not responding
SERVER>telnet 192.168.23.2
Trying 192.168.23.2 ...Open
[Connection to 192.168.23.2 closed by foreign host]
SERVER>telnet 10.20.66.1
Trying 10.20.66.1 ...Open
[Connection to 10.20.66.1 closed by foreign host]
SERVER>telnet 10.20.66.10
Trying 10.20.66.10 ...
% Connection refused by remote host
SERVER>
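The telnet results above follow directly from how IOS evaluates the two lists on R2: entries are checked top-down, the first match decides, and anything unmatched hits the implicit deny at the end. The following Python model is an added example (not part of the lab report) that replays exactly that logic against the report's own ACL 1 and ACL 2 and host addresses. It also shows why two different failures appear in the transcripts: a source dropped by ACL 1 on Serial0/0/1 gets no reply at all ("timed out"), whereas a source that reaches the vty and fails the access-class gets an active rejection ("refused"), and why the teacher's telnet to 10.20.170.1 times out (R1's reply from that address enters R2 on s0/0/1 and is denied by ACL 1). The mapping of hosts to R2 ingress interfaces (student and R1 on s0/0/1, teacher and R3 on s0/0/0, the server on f0/0) is an assumption read from the topology; the function names and the `telnet_to_r2` helper are mine, not IOS commands.

```python
# Added example (not part of the lab report): a small evaluator for numbered
# standard ACLs, reproducing how IOS matches R2's ACL 1 and ACL 2.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that bit of addr must equal the same bit of base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def parse_standard_ace(line: str):
    """Parse 'access-list N permit|deny <source>' into (N, action, base, wildcard)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action, source = int(tokens[1]), tokens[2], tokens[3:]
    if source == ["any"]:
        return number, action, "0.0.0.0", "255.255.255.255"
    if source[0] == "host":
        return number, action, source[1], "0.0.0.0"
    if len(source) == 2:
        return number, action, source[0], source[1]
    # a bare address with no wildcard is an exact host match on IOS
    return number, action, source[0], "0.0.0.0"


def build_acls(config_lines):
    """Group entries by list number, preserving configuration order (the order is the policy)."""
    acls = {}
    for line in config_lines:
        number, action, base, wildcard = parse_standard_ace(line)
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def evaluate(acl, src_ip):
    """Walk the list top-down; the first matching entry decides.
    Returns (action, entry index); index is None when nothing matched and the
    implicit 'deny any' at the end of every ACL applied."""
    for index, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src_ip, base, wildcard):
            return action, index
    return "deny", None


# The two lists configured on R2 in the report, verbatim.
R2_ACL_CONFIG = [
    "access-list 1 deny 10.20.170.0 0.0.0.255",
    "access-list 1 permit any",
    "access-list 2 permit host 10.20.66.10",
]
ACLS = build_acls(R2_ACL_CONFIG)

# Where each list is applied on R2 (from the report): ACL 1 inbound on s0/0/1 only,
# ACL 2 as the access-class on vty 0 4. The ingress interface per source host is an
# assumption read from the topology (see the cases in main()).
INBOUND_ACL = {"s0/0/1": 1, "s0/0/0": None, "f0/0": None}
VTY_ACCESS_CLASS = 2


def telnet_to_r2(src_ip: str, ingress_if: str) -> str:
    """Outcome of a telnet attempt to any R2 address, combining both ACLs:
    a packet dropped by the interface ACL never gets a reply ('timed out'),
    one that reaches the vty but fails the access-class is rejected ('refused')."""
    acl_number = INBOUND_ACL[ingress_if]
    if acl_number is not None and evaluate(ACLS[acl_number], src_ip)[0] == "deny":
        return "timed out"
    action, _ = evaluate(ACLS[VTY_ACCESS_CLASS], src_ip)
    return "open" if action == "permit" else "refused"


if __name__ == "__main__":
    cases = [  # (label, source address, R2 ingress interface) - assumed from the topology
        ("student PC 10.20.170.10 via s0/0/1", "10.20.170.10", "s0/0/1"),
        ("R1 192.168.12.1 via s0/0/1", "192.168.12.1", "s0/0/1"),
        ("R3 192.168.23.2 via s0/0/0", "192.168.23.2", "s0/0/0"),
        ("teacher PC 10.20.66.10 via s0/0/0", "10.20.66.10", "s0/0/0"),
        ("server 10.20.168.7 via f0/0", "10.20.168.7", "f0/0"),
    ]
    for label, ip, iface in cases:
        print(f"{label:38s} -> telnet to R2: {telnet_to_r2(ip, iface)}")
    # R1's f0/0 answering the teacher: the reply is sourced from 10.20.170.1 and
    # enters R2 on s0/0/1, where ACL 1 drops it, so the teacher's telnet times out.
    print("reply from 10.20.170.1 on s0/0/1   ->", evaluate(ACLS[1], "10.20.170.1"))
```

Each outcome printed by the script matches a transcript line in the report: student and R1-LAN sources time out, R1, R3 and the server are refused, and only the teacher host opens a session. Note that ACL 1 filters on source address only, so it also silences every reply that R1's 10.20.170.1 interface sends back through R2, not just the student segment's own connections; a standard ACL placed away from the destination has this kind of side effect, which is the usual argument for placing standard ACLs as close to the destination as possible.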
(2) Extended ACL experiment:
Objective:
Students cannot access FTP but can access WWW; teachers are unrestricted.
The experiment topology is shown in the figure below.
The configuration is as follows:
R2#sh access-lists
Standard IP access list 1
    deny 10.20.170.0 0.0.0.255
    permit any (11 match(es))
Standard IP access list 2
    permit host 10.20.66.10
R2#sh run
interface Serial0/0/1
 ip address 192.168.12.2 255.255.255.0
 ip access-group 1 in
!
line vty 0 4
 access-class 2 in
 password 501
 login
!
Remove the ACLs from the previous experiment:
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0/1
R2(config-if)#no ip access-group 1 in
R2(config-if)#exit
R2(config)#no access-list 1
R2(config)#line vty 0 4
R2(config-line)#no access-class 2 in
R2(config-line)#no password
R2(config-if)#exit
R2(config)#no access-list 2
Verify the removal with sh access-lists and sh run.
R2#sh access-lists
R2#sh run
R2#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Tests before the ACL is configured:
Results on the student PC:
PC>ping 10.20.168.7
Pinging 10.20.168.7 with 32 bytes of data:
Reply from 10.20.168.7: bytes=32 time=203ms TTL=126
Reply from 10.20.168.7: bytes=32 time=141ms TTL=126
Reply from 10.20.168.7: bytes=32 time=157ms TTL=126
Reply from 10.20.168.7: bytes=32 time=143ms TTL=126
Ping statistics for 10.20.168.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 203ms, Average = 161ms
Tests on host student:
PC>ftp 10.20.168.7
Trying to connect...10.20.168.7
Connected to 10.20.168.7
220- Welcome to PT Ftp server
Username:
cisco
331- Username ok, need password
Password:
cisco
230- Logged in
(passive mode On)
ftp>
ftp>ctrl+c
Packet Tracer PC Command Line 1.0
PC>
After DNS is configured, that is, after the server address 10.20.168.7 has been mapped to a domain name, the FTP server can also be reached by domain name.
PC>ftp
Trying to
Connected to
220- Welcome to PT Ftp server
Username:
cisco
331- Username ok, need password
Password:
cisco
230- Logged in
(passive mode On)
ftp>exit
Invalid or nonsupported command.
ftp>ctrl+c
Packet Tracer PC Command Line 1.0
PC>
PC>ping 10.20.66.10
Pinging 10.20.66.10 with 32 bytes of data:
Reply from 1